When scanning an endpoint in SOAR, how do you get a credential scan? I can start a scan via a SOAR playbook, but it's not a credential scan.
@wisconsin it's likely the app wasn't built with that requirement in mind. However, there is nothing stopping you expanding the app to include this capability. All you need is SOAR v5.x and the Tenable API docs!
The code for scan_endpoint action includes this JSON with a 'credentials' key:
scan_data = {
    "name": "Scan Launched from Phantom",
    "repository": {"id": scan_repository_id},
    "schedule": {"start": scan_start, "repeatRule": "FREQ=NOW;INTERVAL=1", "type": "now"},
    "reports": [],
    "type": "policy",
    "policy": {"id": scan_policy_id},
    "zone": {"id": -1},
    "ipList": str(ip_hostname),
    "credentials": [],
    "maxScanTime": "unlimited",
}
However, it's not populated by any code, meaning the update should be simple; add the relevant inputs for the action (maybe a boolean to include credentials or not, then use the other config params), add the logic to the _scan_endpoint action code and you should be golden.
This should help with adding new inputs to the action: https://docs.splunk.com/Documentation/SOARonprem/5.3.2/DevelopApps/Overview
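A sketch of the change described in the reply above, added here as an example; it is not part of the original post or the app's own code. The parameter names `use_credentials` and `credential_ids`, both helper functions, and the list-of-`{"id": ...}` shape for `credentials` (modelled on the other id references in the payload) are assumptions to check against the Tenable API docs.

```python
# Added example: hypothetical helpers, not code from the SOAR app itself.

def parse_credential_ids(raw):
    """Parse a comma-separated action parameter such as "1000001, 1000002"
    into [{"id": 1000001}, {"id": 1000002}], rejecting non-numeric values."""
    ids = []
    for part in (raw or "").split(","):
        part = part.strip()
        if not part:
            continue
        if not (part.isascii() and part.isdigit()) or int(part) <= 0:
            raise ValueError("invalid credential id: %r" % part)
        if int(part) not in ids:  # drop duplicates, keep order
            ids.append(int(part))
    return [{"id": i} for i in ids]


def build_scan_data(ip_hostname, scan_repository_id, scan_policy_id, scan_start,
                    use_credentials=False, credential_ids=None):
    """Build the scan payload from the post, optionally filling 'credentials'."""
    credentials = []
    if use_credentials:
        credentials = parse_credential_ids(credential_ids)
        if not credentials:
            # Fail instead of silently launching an uncredentialed scan.
            raise ValueError("use_credentials is set but no credential ids were given")
    return {
        "name": "Scan Launched from Phantom",
        "repository": {"id": scan_repository_id},
        "schedule": {"start": scan_start, "repeatRule": "FREQ=NOW;INTERVAL=1", "type": "now"},
        "reports": [],
        "type": "policy",
        "policy": {"id": scan_policy_id},
        "zone": {"id": -1},
        "ipList": str(ip_hostname),
        "credentials": credentials,
        "maxScanTime": "unlimited",
    }
```

Passing the credential ids as references keeps the secrets themselves in the scanner, so the playbook and its logs only ever handle numeric ids.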